What is the correct sequence of activities for a risk assessment?
The correct sequence for a risk assessment, as per ISO 31000 and ISO/IEC 27001, is: Establish context → Identify → Analyse → Evaluate → Treatment (C).
Establish context: Define the scope, objectives, and criteria for the risk assessment (e.g., organizational goals, assets, and risk appetite).
Identify: Identify potential risks (e.g., threats and vulnerabilities) that could impact objectives.
Analyse: Assess the likelihood and impact of identified risks to determine their severity.
Evaluate: Compare risks against risk criteria to prioritize them for treatment.
Treatment: Implement controls or strategies to mitigate, avoid, transfer, or accept risks.
Option A: Incorrect, as "monitor and review" is a post-treatment step, not the starting point.
Option B: Incorrect, as "communication" is not a distinct step in risk assessment; it is embedded throughout the process.
Option D: Incorrect, as it skips "establish context," which is essential for defining the assessment's scope.
This sequence ensures a structured, systematic approach to risk assessment, aligning with organizational objectives.